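# Release pipeline: on a pushed "v*" tag, build, sign and notarize the macOS
# app, publish a GitHub Release, and open a pull request carrying the Homebrew
# cask and Sparkle appcast updates for that version.
name: Release
on:
  push:
    tags:
      - "v*"

# Workflow-level token is read-only; the release job escalates only the
# scopes it needs (documented per scope below).
permissions:
  contents: read

# One release run per tag; a second push of the same tag waits rather than
# cancelling a build that may already have published artifacts.
concurrency:
  group: release-${{ github.ref }}
  cancel-in-progress: false

jobs:
  build:
    name: Build, sign, notarize, and publish
    runs-on: macos-26
    environment: release
    permissions:
      actions: write # Required to dispatch checks for the generated metadata pull request.
      contents: write # Required to create the GitHub Release and push its metadata branch.
      pull-requests: write # Required to open the release metadata pull request.
    steps:
      # Pinned by commit SHA; no token is left in .git/config because later
      # steps authenticate explicitly with GH_TOKEN.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false

      - name: Get version
        id: version
        run: |
          VERSION="${GITHUB_REF#refs/tags/v}"
          # The version is later interpolated into sed replacement text, an XML
          # heredoc and a download URL. Reject tag names containing characters
          # that would break or inject into any of those (/, ", &, <, spaces, ...).
          if [[ ! "$VERSION" =~ ^[0-9A-Za-z][0-9A-Za-z._+-]*$ ]]; then
            echo "Unsupported tag name: ${GITHUB_REF}" >&2
            exit 1
          fi
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

      - name: Import code signing certificate
        env:
          CERTIFICATE_P12: ${{ secrets.CERTIFICATE_P12 }}
          CERTIFICATE_PASSWORD: ${{ secrets.CERTIFICATE_PASSWORD }}
        run: |
          KEYCHAIN_PATH="$RUNNER_TEMP/app-signing.keychain-db"
          KEYCHAIN_PASSWORD="$(openssl rand -base64 32)"
          CERT_PATH="$RUNNER_TEMP/certificate.p12"
          security create-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Keep the keychain unlocked for 6 hours so the signing step never prompts.
          security set-keychain-settings -lut 21600 "$KEYCHAIN_PATH"
          security unlock-keychain -p "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          # Decode the PKCS#12 bundle with owner-only permissions; it holds the private key.
          (umask 077; echo "$CERTIFICATE_P12" | base64 --decode > "$CERT_PATH")
          # -A lets any application use the key without prompting (acceptable on an ephemeral runner).
          security import "$CERT_PATH" -P "$CERTIFICATE_PASSWORD" -A -t cert -f pkcs12 -k "$KEYCHAIN_PATH"
          # The on-disk copy is not needed once the key is in the keychain.
          rm -f "$CERT_PATH"
          security set-key-partition-list -S apple-tool:,apple: -k "$KEYCHAIN_PASSWORD" "$KEYCHAIN_PATH"
          security list-keychain -d user -s "$KEYCHAIN_PATH"
          # Developer ID G2 intermediate CA; -f makes an HTTP error fail the step
          # instead of importing an error page. The import itself is best-effort
          # because the CA may already be present.
          curl -fsSL https://www.apple.com/certificateauthority/DeveloperIDG2CA.cer -o "$RUNNER_TEMP/DeveloperIDG2CA.cer"
          security import "$RUNNER_TEMP/DeveloperIDG2CA.cer" -k "$KEYCHAIN_PATH" || true

      - name: Build and notarize
        env:
          SIGNING_IDENTITY: ${{ secrets.SIGNING_IDENTITY }}
          APP_STORE_CONNECT_KEY: ${{ secrets.APP_STORE_CONNECT_KEY }}
          APP_STORE_CONNECT_KEY_ID: ${{ secrets.APP_STORE_CONNECT_KEY_ID }}
          APP_STORE_CONNECT_ISSUER_ID: ${{ secrets.APP_STORE_CONNECT_ISSUER_ID }}
        run: ./build-app.sh --release --notarize

      - name: Create zip
        # ditto preserves the bundle's resource forks/metadata; --keepParent keeps
        # ClickLight.app as the top-level entry of the archive.
        run: ditto -c -k --keepParent "ClickLight.app" ClickLight.zip

      - name: Download Sparkle tools
        run: |
          SPARKLE_DIR="$RUNNER_TEMP/sparkle"
          mkdir -p "$SPARKLE_DIR"
          curl -fsSL --retry 3 -o "$SPARKLE_DIR/sparkle.tar.xz" "https://github.com/sparkle-project/Sparkle/releases/download/2.9.2/Sparkle-2.9.2.tar.xz"
          # TODO: verify the archive against the SHA-256 published with the Sparkle
          # release (shasum -a 256 -c) before its sign_update binary is run with the
          # private key below; the download is currently trusted on the URL alone.
          tar -xf "$SPARKLE_DIR/sparkle.tar.xz" -C "$SPARKLE_DIR"
          # Expose the tool location to the signing step.
          echo "SPARKLE_DIR=${SPARKLE_DIR}" >> "$GITHUB_ENV"

      - name: Sign Sparkle update
        id: sparkle
        env:
          SPARKLE_PRIVATE_KEY: ${{ secrets.SPARKLE_PRIVATE_KEY }}
        run: |
          KEY_FILE="$RUNNER_TEMP/sparkle_key"
          # Remove the key file on every exit path, including a failed signing run.
          trap 'rm -f "$KEY_FILE"' EXIT
          (umask 077; printf '%s\n' "$SPARKLE_PRIVATE_KEY" > "$KEY_FILE")
          OUTPUT=$("$SPARKLE_DIR/bin/sign_update" ClickLight.zip -f "$KEY_FILE")
          SIGNATURE=$(echo "$OUTPUT" | sed -n 's/.*sparkle:edSignature="\([^"]*\)".*/\1/p')
          LENGTH=$(echo "$OUTPUT" | sed -n 's/.*length="\([^"]*\)".*/\1/p')
          # If sign_update's output format changes, the sed extractions come back
          # empty; fail here rather than publishing an appcast Sparkle will reject.
          if [ -z "$SIGNATURE" ] || [ -z "$LENGTH" ]; then
            echo "sign_update output did not contain both a signature and a length" >&2
            exit 1
          fi
          echo "signature=${SIGNATURE}" >> "$GITHUB_OUTPUT"
          echo "length=${LENGTH}" >> "$GITHUB_OUTPUT"

      - name: Update Homebrew cask
        env:
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          SHA=$(shasum -a 256 ClickLight.zip | awk '{print $1}')
          # VERSION was validated above to contain no sed-special characters.
          sed -i '' "s/version \".*\"/version \"$VERSION\"/" Casks/clicklight.rb
          sed -i '' "s/sha256 \".*\"/sha256 \"$SHA\"/" Casks/clicklight.rb

      - name: Update appcast
        env:
          VERSION: ${{ steps.version.outputs.version }}
          SIGNATURE: ${{ steps.sparkle.outputs.signature }}
          LENGTH: ${{ steps.sparkle.outputs.length }}
        run: |
          # RFC 822 date as required by RSS <pubDate>.
          DATE=$(date -u +"%a, %d %b %Y %H:%M:%S +0000")
          # Single-item appcast: only the newest release is advertised.
          cat > appcast.xml << EOF
          <?xml version="1.0" encoding="utf-8"?>
          <rss version="2.0" xmlns:sparkle="http://www.andymatuschak.org/xml-namespaces/sparkle">
            <channel>
              <title>ClickLight</title>
              <item>
                <title>Version ${VERSION}</title>
                <sparkle:version>${VERSION}</sparkle:version>
                <sparkle:shortVersionString>${VERSION}</sparkle:shortVersionString>
                <pubDate>${DATE}</pubDate>
                <enclosure url="https://github.com/aurorascharff/ClickLight/releases/download/v${VERSION}/ClickLight.zip"
                  type="application/octet-stream"
                  length="${LENGTH}"
                  sparkle:edSignature="${SIGNATURE}"/>
              </item>
            </channel>
          </rss>
          EOF

      - name: Create release
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ steps.version.outputs.version }}
        run: gh release create "v${VERSION}" ClickLight.zip --generate-notes

      - name: Open release metadata pull request
        env:
          GH_TOKEN: ${{ github.token }}
          VERSION: ${{ steps.version.outputs.version }}
        run: |
          BRANCH="release/v${VERSION}-metadata"
          # Stash the regenerated files, reset the tree, then re-apply them on a
          # branch cut from main so the PR contains only the metadata change.
          cp Casks/clicklight.rb "$RUNNER_TEMP/clicklight.rb"
          cp appcast.xml "$RUNNER_TEMP/appcast.xml"
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          # The token is passed per command via -c rather than written to .git/config.
          AUTH_HEADER=$(printf "x-access-token:%s" "$GH_TOKEN" | base64 | tr -d '\n')
          git restore Casks/clicklight.rb appcast.xml
          git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${AUTH_HEADER}" fetch origin main
          git switch -c "$BRANCH" origin/main
          cp "$RUNNER_TEMP/clicklight.rb" Casks/clicklight.rb
          cp "$RUNNER_TEMP/appcast.xml" appcast.xml
          git add Casks/clicklight.rb appcast.xml
          git commit -m "Update release metadata for v${VERSION}"
          git -c "http.https://github.com/.extraheader=AUTHORIZATION: basic ${AUTH_HEADER}" push origin "$BRANCH"
          gh pr create \
            --base main \
            --head "$BRANCH" \
            --title "Update release metadata for v${VERSION}" \
            --body "Updates the Homebrew cask and Sparkle appcast for the published v${VERSION} release. Merge this PR to make the release available through Homebrew upgrades and in-app updates."
          # Pushes made with the workflow token do not trigger other workflows,
          # so the PR checks are dispatched explicitly (needs actions: write).
          gh workflow run security.yml --ref "$BRANCH"
          gh workflow run pr-smoke.yml --ref "$BRANCH"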